Admin endpoint without authentication

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

An administrative endpoint is exposed without authentication, allowing unauthorized users to access sensitive functionality.

Rationale

This finding detects when an endpoint:

Remediation

  • Validate that the code isn’t expecting the user to be authenticated to have access to this resource (AuthN). If this API is, in fact, authenticated, ensure your code is instrumented correctly. Datadog auto-instruments many event types. Review your instrumented business logic events.